Model Data Sharing Agreement Information and Privacy Commissioner of

Transcription

Model Data Sharing Agreement Information and Privacy Commissioner of
Information
and Privacy
Commissioner of
Ontario
Model Data Sharing Agreement
Tom Wright
Commissioner
December 1995
Information and Privacy
Commissioner of Ontario
2 Bloor Street East
Suite 1400
Toronto, Ontario
CANADA
M4W 1A8
416-326-3333
1-800-387-0073
Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539
Website: www.ipc.on.ca
Table of Contents
Introduction...................................................................................................... 1
Model Agreement.............................................................................................. 2
Definitions......................................................................................................... 2
Model Data Sharing Agreement........................................................................ 3
Introduction
Government organizations which are subject to the Freedom of Information and Protection of
Privacy Act (the provincial Act) and the Municipal Freedom of Information and Protection of
Privacy Act (the municipal Act) sometimes share personal information. The Information and
Privacy Commissioner/Ontario (IPC) has drafted a model agreement to assist these organizations
in complying with the privacy provisions of the Acts when sharing data containing personal
information.
The Acts provide individuals with two legal rights:
• The right of access to government information, including personal information about
themselves.
• The right to privacy with respect to the protection of their personal information contained
in government records.
However, the right to privacy is not absolute. In certain circumstances, the right to privacy must
be weighed against various public interests. While the IPC recognizes this, a few words about
the privacy-invasive nature of data sharing are considered to be warranted.
Sharing personal information between two organizations runs counter to two of the most
fundamental principles of data protection — that personal information should be collected
directly from the individual to whom it pertains, and should only be used for the purpose for
which it was collected [with limited exceptions]. Data sharing respects neither of these principles.
Data sharing involves information that has been collected indirectly, and used for a purpose
which may not have been intended at the time of the original collection.
Government organizations may want to share data for the purpose of comparing or matching
two data bases. For example, they may try to identify individuals who should not be receiving
services from more than one organization. This data matching is sometimes referred to as a
"fishing expedition" which compromises the privacy of the majority in an attempt to capture
the suspect few.
Data sharing between organizations may lead to individuals' loss of control over their personal
information. Therefore, where possible, sharing should not occur without exploring less privacyintrusive means of meeting a specific objective. Before making a decision to share personal data,
organizations should consider all practical alternatives which are more privacy protective, and
all relevant information. They should also consider the merits of any contemplated data sharing
and whether sharing is appropriate.
The IPC believes that any sharing of personal information should be supported by a written
"Data Sharing Agreement." Such an agreement will clarify the rights and obligations of all parties
in a data sharing activity and thereby ensure compliance with the Acts.
1
Although government organizations may be subject to other legislation, regulation or business
practice, this model agreement only addresses privacy issues related to the Acts.
Model Agreement
The attached model agreement contains the minimum issues that should be considered when an
organization first contemplates conducting a data sharing activity. The model includes suggested
wording. Text within the square brackets [ ] will vary.
The "Notes" and "Guidelines" sections review each issue in detail to help organizations understand
the specific types of information to examine. The "Notes" apply to the issues which must be
addressed and "Guidelines" apply to issues which should be considered.
Where sections of the Acts are cited, the sections of the provincial Act appear first, followed by
a slash (/) and the corresponding sections of the municipal Act, e.g., 38(2)/28(2).
Definitions
For the purposes of this model Data Sharing Agreement, the IPC defines "data sharing" as:
The exchanging, collecting or disclosing of "personal information" by an organization
with other organizations such as any federal or provincial government ministry, agency,
board, or commission, any municipality or local government agency, city, town,
village, police service, any private company, or any foreign government. This includes
sharing for purposes of "computer matching" as defined in the Ontario Government's
Management Board of Cabinet's Directive 8-2. The data sharing activity may be carried
out by using any transmission method (paper/electronic), and may take place over any
time period (daily/monthly/etc.).
"Personal information" is defined in section 2(1) of both Acts.
Management Board of Cabinet's Directive 8-2, defines "computer matching" as:
A computerized comparison of two or more databases of personal information that
were originally collected for different purposes. The computer matching program
creates or merges files on identifiable individuals to identify matters of interest.
It should be noted that Directive 8-2 applies only to organizations that are subject to the
provincial Act.
2
Model Data Sharing Agreement
AGREEMENT
[Indicate the title of the agreement concerning the sharing of personal information.]
BETWEEN
[Organization A], (hereinafter referred to as "the disclosing party") OF THE FIRST PART
AND
[Organization B], (hereinafter referred to as "the collecting party") OF THE SECOND PART
WHEREAS …
Notes:
• Identify all the parties to the Agreement.
• Outline the reasons for the Data Sharing Agreement and indicate any legislative authority
for the disclosure and the collection of the personal information. (For instance, the
legislation that governs the program activity.)
THE PARTIES AGREE AS FOLLOWS:
1. DEFINITIONS
Notes:
• Include definitions of any terms which may be unique to the subject matter of the Agreement,
or which may not be common knowledge, e.g., program terms, acronyms, etc.
2. PURPOSE OF THE DATA SHARING
The purpose of this data sharing activity is [state the specific purpose for both the collection
and disclosure of the personal information].
Guidelines:
• If personal information is shared for research purposes, the organization should consider
the terms and conditions relating to security and confidentiality, as outlined in section 10
of Regulation 460/section 10 of Regulation 823 under the Act. If so, identify whether the
personal information will be used for research or administrative purposes.
3
• Identify whether the personal information will be linked or matched with other data
banks in order to achieve the purpose of the data sharing activity.
• If personal information is shared to facilitate a computer match, and a provincial organization
is involved, state the purpose of the match and whether a Computer Matching Assessment
has been sent to the IPC for comment as required by Management Board Directive 8-2.
• Organizations should prepare a detailed business case outlining why there is a need for
data sharing. The business case should:
- Identify the goals or objectives of the data sharing activity and the anticipated benefits.
• Identify the potential risks or consequences of not conducting the data sharing activity.
• Clarify why personal information must be shared at this time.
• Clarify why the personal information needs to include personal identifiers.
• State the purpose(s) for which the personal information was originally collected.
• Identify why the personal information must be collected indirectly and the advantages of
sharing the data against alternative methods of achieving the same objectives.
3. AUTHORITY TO SHARE DATA
Section [specify the section of the Act which provides the authority to share data] authorized
the collection and/or disclosure of this personal information.
Guidelines:
• Organizations must comply with sections 38(2)/28(2) of the Act with respect to the
authority to collect the personal information being shared, and with section 42/32 of the
Act with respect to the disclosure of that personal information.
4. PERSONAL INFORMATION TO BE SHARED
The disclosing party will provide to the collecting party:
(a) [List all elements of personal information that will be disclosed and collected for each
purpose that has been identified above.]
(b)
(c)
4
The disclosing party will provide to the collecting party, a computer disk of the personal
information that is identified in clause [specify clause in Agreement], on [specify frequency].
Guidelines:
• Identify whether personal information is about one individual or a group of
individuals.
• Estimate the number of records to be shared and the current storage format or medium,
for example; computer tape, computer disk, paper, etc.
• Identify how the personal information will be disclosed and the frequency of data
sharing.
• The exact nature of the personal information to be shared must be identified in detail.
The parties should use the definition of personal information in section 2(1) of the Act
as the basis for its description. Only those components of personal information that
are absolutely necessary to achieve the purpose of the data sharing activity should be
shared.
5. USE OF PERSONAL INFORMATION
The information provided by the disclosing party to the collecting party shall only be used in
compliance with section(s) [state the sections] of the Freedom of Information and Protection of
Privacy Act or Municipal Freedom of Information and Protection of Privacy Act to:
(a) [list specific use of personal information]
(b) [list other uses of personal information (if applicable)]
Neither party shall use the personal information provided under this Agreement for any purpose
other than that set out in the Agreement and which is specifically authorized by the Act.
Guidelines:
• In addition, the Agreement should include confidentiality provisions to ensure that
any personal information obtained/disclosed in connection with the Agreement, is not
subsequently disclosed unless the disclosure is in compliance with section 42/32 of the
Act.
• Describe in detail the use(s) of the personal information and how this use complies with
the Act, and that the personal information will not be used for purposes other than those
set out in the Data Sharing Agreement.
5
6. MANNER OF COLLECTION
[State which section(s) of the Act permits the collection of personal information indirectly. If no
section applies, the collecting party (if subject to the Act) must apply to the IPC for an indirect
collection authorization.]
Guidelines:
• Section 39(1)/29(1) of the Act requires organizations to collect personal information directly
from the individual to whom it relates unless certain conditions apply. The organization
should specify which of the conditions in section 39(1)/29(1) of the Act applies to the
collection of the personal information.
7. NOTICE REQUIREMENT
Notice to individuals to whom the personal information relates shall be provided by the collecting
party in accordance with section 39(2) and (3)/29(2) and (3) of the Act.
OR
The collecting party must apply to the responsible minister for a waiver of notice in accordance
with section 39(2)/29(3) of the Act.
Guidelines:
• Describe how, and at what stage of the data sharing activity, the notice provisions will be
complied with.
8. METHOD OF SHARING DATA
Personal information described in clause 4 above, shall [describe the procedures or methods that
will be used to share the personal information (e.g., photocopies of hard copy records, copying
of computer tapes or disks, electronic data interchange, direct electronic linkage, etc.)].
Notes:
• The organization(s) should also:
- Identify what (if any) personal information will be linked or matched with other
information in order to achieve the purpose of the data sharing activity.
- Identify the sampling techniques to be used, if only a sample of records is needed.
- Identify any technical problems involved with the data sharing and the strategy which
has been developed to minimize these problems. (e.g., physical loss of data during
transfer.)
6
9. ACCURACY AND SECURITY OF THE PERSONAL INFORMATION
To ensure compliance with section 40(2)/30(2) of the Act, the parties shall . . .
Notes:
• Describe what steps will be taken to verify the accuracy and completeness of the personal
information before it is used.
• Identify the steps that will be taken to ensure that the personal information is up-todate.
• Describe the measures that will be taken to ensure that the personal information will be
protected against unauthorized access and that only authorized persons will have access
to it.
• The organization should identify the measures that will be used to ensure that personal
information shared through this Data Sharing Agreement is protected against loss and
unauthorized access during transfer, as well as unauthorized access, use and disclosure
after transfer.
• For any personal information stored on a computer:
- identify the method of transfer;
• identify the controls in place to ensure the security and completeness of transmission
(encryption);
• identify the controls in place to ensure that only the required personal information will
be transferred; and
• describe the types of audit trails and/or management reports produced to ensure that
personal information will be processed in a complete and accurate manner.
Guidelines:
Describe the steps that will be taken to ensure compliance with the requirement under the Act
to attach a statement of disagreement to an individual's personal information, reflecting any
correction that was requested by that individual but was not made by the organization.
10. DURATION OF DATA SHARING AND RETENTION OF PERSONAL INFORMATION
This Agreement shall commence on, and take affect from [start date] and will terminate on
[termination date].
7
To ensure compliance with section 40(1)/30(1) of the Act, the information collected for the
purposes of this Agreement shall be retained for a period of [indicate the length of time the
personal information will be retained].
Notes:
• State whether the proposed data sharing will be a one-time occurrence, time-limited, or
ongoing.
Guidelines:
• Describe in detail what will happen to any personal information upon completion of the
Agreement. It is preferable that there is a clause committing each party to either return or
destroy the collected personal information in compliance with the Act. This final activity
should be confirmed in writing.
11. TERMINATION OF THE DATA SHARING ACTIVITY
In the event of the termination of this Agreement, the personal information shared under this
Agreement shall be returned to the disclosing party, or disposed of by [supply details of the
disposal]. Each party shall send a letter to the other confirming that the disposal has been done
in the agreed manner.
Notes:
• Describe in detail what will happen to any personal information upon termination of
the Agreement. Upon termination of the Agreement, it is preferable that there is a clause
committing each party to either return or destroy the collected personal information in
compliance with the Act. This final activity must be confirmed in writing.
Guidelines:
The organization should ensure that the Data Sharing Agreement addresses the disposition
of the personal information upon termination of the Agreement. Ideally, the disclosing party
should regain custody of the personal information disclosed to the collecting party, especially
if the collecting party is not subject to the Act.
12. PERSONAL INFORMATION BANKS
The disclosing party shall attach or link to the personal information bank this new use of personal
information in accordance with section 46/35 of the Act.
The collecting party shall create a personal information bank in its directory of records in
accordance with section 45/34 of the Act.
8
Notes:
State whether the index of Personal Information Banks will be amended to reflect any new uses/
disclosures as a result of the data sharing.
13. AMENDING PROCEDURES
This Agreement may be amended by the written agreement of the parties herein.
Notes:
• Any amendments must comply with the requirements of the Act.
14. CHANGES THAT AFFECT THE AGREEMENT
The parties undertake to give one another written notice of any changes in legislation, regulations
or policies respecting those parties and programs that are likely to affect this Agreement.
15. OTHER CLAUSES
The parties agree that any policies or procedures dealing with the security, access, retention and
disposal of the shared personal information, are in accordance with the Act.
Notes:
• Include any clauses such as financial arrangements that do not fall under any of the
foregoing headings.
IN WITNESS WHERE OF this Agreement has been signed on behalf of the disclosing party
by
[Head of Organization A] [Date] [Witness]
IN WITNESS WHERE OF this Agreement has been signed on behalf of the collecting party
by
[Head of Organization B] [Date] [Witness]
Please include all appropriate Appendices.
9
Information and Privacy
Commissioner of Ontario
2 Bloor Street East
Suite 1400
Toronto, Ontario
CANADA
M4W 1A8
416-326-3333
1-800-387-0073
Fax: 416-325-9195
TTY (Teletypewriter): 416-325-7539
Website: www.ipc.on.ca